Access control lists
This page describes details about the permissions available for the different workspace objects.
Access control lists overview
In SAP Databricks, you can use access control lists (ACLs) to configure permission to access workspace level objects. Workspace admins have the CAN MANAGE permission on all objects in their workspace, which gives them the ability to manage permissions on all objects in their workspaces. Users automatically have the CAN MANAGE permission for objects that they create.
Manage access control lists with folders
You can manage workspace object permissions by adding objects to folders. Objects in a folder inherit all permissions settings of that folder. For example, a user that has the CAN RUN permission on a folder has CAN RUN permission on the alerts in that folder.
If you grant a user access to an object inside the folder, they can view the parent folder's name, even if they do not have permissions on the parent folder. For example, a notebook named test1.py is in a folder named Workflows. If you grant a user CAN VIEW on test1.py and no permissions on Workflows, the user can see that the parent folder is named Workflows. The user cannot view or access any other objects in the Workflows folder unless they have been granted permissions on them.
Alerts ACLs
Ability | NO PERMISSIONS | CAN RUN | CAN MANAGE |
|---|---|---|---|
See in alert list | ✓ | ✓ | |
View alert and result | ✓ | ✓ | |
Manually trigger alert run | ✓ | ✓ | |
Subscribe to notifications | ✓ | ✓ | |
Edit alert | ✓ | ||
Modify permissions | ✓ | ||
Delete alert | ✓ |
File ACLs
Ability | NO PERMISSIONS | CAN VIEW | CAN RUN | CAN EDIT | CAN MANAGE |
|---|---|---|---|---|---|
Read file | ✓ | ✓ | ✓ | ✓ | |
Comment | ✓ | ✓ | ✓ | ✓ | |
Attach and detach file | ✓ | ✓ | ✓ | ||
Run file interactively | ✓ | ✓ | ✓ | ||
Edit file | ✓ | ✓ | |||
Modify permissions | ✓ |
The workspace UI refers to view-only access as CAN VIEW, while the Permissions API uses CAN READ to represent the same level of access.
Folder ACLs
Ability | NO PERMISSIONS | CAN VIEW | CAN EDIT | CAN RUN | CAN MANAGE |
|---|---|---|---|---|---|
List objects in folder | ✓ | ✓ | ✓ | ✓ | ✓ |
View objects in folder | ✓ | ✓ | ✓ | ✓ | |
Clone and export items | ✓ | ✓ | ✓ | ||
Run objects in the folder | ✓ | ✓ | |||
Create, import, and delete items | ✓ | ||||
Move and rename items | ✓ | ||||
Modify permissions | ✓ |
Git folder ACLs
Ability | NO PERMISSIONS | CAN READ | CAN RUN | CAN EDIT | CAN MANAGE |
|---|---|---|---|---|---|
List assets in a folder | ✓ | ✓ | ✓ | ✓ | ✓ |
View assets in a folder | ✓ | ✓ | ✓ | ✓ | |
Clone and export assets | ✓ | ✓ | ✓ | ✓ | |
Run executable assets in folder | ✓ | ✓ | ✓ | ||
Edit and rename assets in a folder | ✓ | ✓ | |||
Create a branch in a folder | ✓ | ||||
Switch branches in a folder | ✓ | ||||
Pull or push a branch into a folder | ✓ | ||||
Create, import, delete, and move assets | ✓ | ||||
Modify permissions | ✓ |
Job ACLs
Ability | NO PERMISSIONS | CAN VIEW | CAN MANAGE RUN | IS OWNER | CAN MANAGE |
|---|---|---|---|---|---|
View job details and settings | ✓ | ✓ | ✓ | ✓ | |
View results | ✓ | ✓ | ✓ | ✓ | |
Run now | ✓ | ✓ | ✓ | ||
Cancel run | ✓ | ✓ | ✓ | ||
Edit job settings | ✓ | ✓ | |||
Delete job | ✓ | ✓ | |||
Modify permissions | ✓ | ✓ |
- The creator of a job has the IS OWNER permission by default.
- A job cannot have more than one owner.
- A group cannot be assigned the Is Owner permission as an owner.
- Jobs triggered through Run Now assume the permissions of the job owner and not the user who issued Run Now.
- Jobs access control applies to jobs displayed in the Lakeflow Jobs UI and their runs. It doesn't apply to:
-
Notebook workflows that run modular or linked code. These use the permissions of the notebook itself. If the notebook comes from Git, a new copy is created and its files inherit the permissions of the user who triggered the run.
-
Jobs submitted by API. These use the notebook's default permissions unless you explicitly set the
access_control_listin the API request.
-
MLflow experiment ACLs
MLflow experiment ACLs are different for notebook experiments and workspace experiments. Notebook experiments cannot be managed independently of the notebook that created them, so the permissions are similar to notebook permissions.
Notebook ACLs
Ability | NO PERMISSIONS | CAN VIEW | CAN RUN | CAN EDIT | CAN MANAGE |
|---|---|---|---|---|---|
View cells | ✓ | ✓ | ✓ | ✓ | |
Comment | ✓ | ✓ | ✓ | ✓ | |
Run using %run or notebook workflows | ✓ | ✓ | ✓ | ✓ | |
Attach and detach notebooks | ✓ | ✓ | ✓ | ||
Run commands | ✓ | ✓ | ✓ | ||
Edit cells | ✓ | ✓ | |||
Modify permissions | ✓ |
Query ACLs
Ability | NO PERMISSIONS | CAN VIEW | CAN RUN | CAN EDIT | CAN MANAGE |
|---|---|---|---|---|---|
View own queries | ✓ | ✓ | ✓ | ✓ | |
See in query list | ✓ | ✓ | ✓ | ✓ | |
View query text | ✓ | ✓ | ✓ | ✓ | |
View query result | ✓ | ✓ | ✓ | ✓ | |
Refresh query result (or choose different parameters) | ✓ | ✓ | ✓ | ||
Include the query in a dashboard | ✓ | ✓ | ✓ | ||
Change SQL warehouse or data source | ✓ | ✓ | ✓ | ||
Edit query text | ✓ | ✓ | |||
Modify permissions | ✓ | ||||
Delete query | ✓ |
Secret ACLs
Ability | READ | WRITE | MANAGE |
|---|---|---|---|
Read the secret scope | ✓ | ✓ | ✓ |
List secrets in the scope | ✓ | ✓ | ✓ |
Write to the secret scope | ✓ | ✓ | |
Modify permissions | ✓ |
Serving endpoint ACLs
Ability | NO PERMISSIONS | CAN VIEW | CAN QUERY | CAN MANAGE |
|---|---|---|---|---|
Get endpoint | ✓ | ✓ | ✓ | |
List endpoint | ✓ | ✓ | ✓ | |
Query endpoint | ✓ | ✓ | ||
Update endpoint config | ✓ | |||
Delete endpoint | ✓ | |||
Modify permissions | ✓ |
SQL warehouse ACLs
Ability | NO PERMISSIONS | CAN VIEW | CAN MONITOR | CAN USE | IS OWNER | CAN MANAGE |
|---|---|---|---|---|---|---|
Start the warehouse | ✓ | ✓ | ✓ | ✓ | ||
View warehouse details | ✓ | ✓ | ✓ | ✓ | ✓ | |
View warehouse queries | ✓ | ✓ | ✓ | ✓ | ||
Run queries | ✓ | ✓ | ✓ | ✓ | ||
View warehouse monitoring tab | ✓ | ✓ | ✓ | ✓ | ||
Stop the warehouse | ✓ | ✓ | ||||
Delete the warehouse | ✓ | ✓ | ||||
Edit the warehouse | ✓ | ✓ | ||||
Modify permissions | ✓ | ✓ |
Vector search endpoint ACLs
Ability | NO PERMISSIONS | CAN CREATE | CAN USE | CAN MANAGE |
|---|---|---|---|---|
Get endpoint | ✓ | ✓ | ✓ | |
List endpoints | ✓ | ✓ | ✓ | |
Create endpoint | ✓ | ✓ | ✓ | |
Use endpoint (create index) | ✓ | ✓ | ||
Delete endpoint | ✓ | |||
Modify permissions | ✓ |